FIG. 1 illustrates a conventional network with an intrusion detection system. The network comprises a communications link 104 over which packets are transmitted between an unsecured zone 102, either within the network or from outside the network, and a secure zone 108 within the network. The secure zone 108 may be protected by a firewall or some other protective device. Some networks also have a network intrusion detection system (NIDS) 110. The NIDS detects attempts by “hackers” and other malicious users to break into or disrupt the network. Generally, NIDS's are passive devices that examine every packet transmitted over the communication link 104 for patterns of interest, also known as intrusion detection signatures. Upon finding a packet with the pattern of interest, the NIDS 110 informs the system operators and appropriate action is taken.
However, the vast majority of packets are not from “hackers” or malicious uses. Thus, the NIDS 10 performs a task analogous to looking for “a needle in a haystack.” A significant amount of the resources of the NIDS 110 is therefore consumed by examining packets without the pattern of interest, significantly limiting the resources available to find packets with the pattern of interest.
Accordingly, there exists a need for an improved method and system for detecting attempted intrusions into a network. The method and system should reduce the resources of an NIDS required to identify packets with the patterns of interest without compromising performance or substantially increase the performance of the system for the same given NID resource. The present invention addresses this need.